Qakbot runs detailed profile scans of infected computers, downloads additional modules and uses sophisticated encryption. The starting point for the attacks: the cybercriminals skilfully insert themselves into genuine e-mail conversations. The Qakbot botnet follows in Emotet's footsteps.
Sophos has published a technical analysis of Qakbot showing that the botnet is becoming increasingly sophisticated and dangerous for businesses. In the article “Qakbot Injects Itself into the Middle of Your Conversations”, SophosLabs describes a recent Qakbot campaign that shows how the botnet spreads through email thread hijacking and collects a variety of profile information from newly infected computers. This includes, among other things, all configured user accounts and permissions, installed software and running services. The botnet also downloads a number of additional malicious modules that extend the functionality of the core botnet.
Qakbot's malware code features unconventional encryption. This also serves to disguise the content of the communication. By deciphering the botnet's malicious modules and command and control system, Sophos has figured out how Qakbot receives its instructions.
The Qakbot chain of infection
In the campaign analyzed by Sophos, the botnet inserted malicious messages into existing email threads. The emails contained a short sentence and a link to download a zip file containing a malicious Excel file; users were prompted to "enable content", which activated the infection chain. Once the botnet had infected a new target, it performed a detailed profile scan, sent the data to its command-and-control server, and then downloaded at least three different malicious modules in the form of dynamic-link libraries (DLLs) that give the botnet a wider range of capabilities.
The imported modules consisted of:
- A module that injects password-stealing code into websites
- A module that performs network scans and collects data about other machines close to the infected machine
- A module that looks up the addresses of a dozen SMTP (Simple Mail Transfer Protocol) email servers and then attempts to connect to each one and send spam
Known precursors to a ransomware attack
“Qakbot is a multi-purpose, modular botnet distributed via email. Cybercriminals are increasingly using it as a malware delivery tool, similar to Trickbot and Emotet,” said Andrew Brandt, Principal Threat Researcher at Sophos. “Our analysis demonstrates the collection of detailed victim profile data, the botnet's ability to process complex command sequences, and a number of modules that extend the functionality of the core botnet engine.”
Botnet infections are a well-known precursor to a ransomware attack. This isn't just because botnets potentially deliver ransomware. Botnet developers can also sell or rent their access to the infected networks. For example, the Sophos teams have encountered Qakbot samples that deliver Cobalt Strike beacons, the first foot in the door to the corporate network, directly to an infected host. Once Qakbot operators have used the infected computer, they can give, rent or sell access to these beacons to their customers.
What to do against Qakbot?
Sophos recommends that you be cautious of unusual or unexpected emails, even if the messages appear to be replies to existing email traffic. In the Qakbot campaign Sophos investigated, the use of Latin phrases in URLs was a potential red flag.
In addition, security teams should verify that the behavioral protections provided by their security technologies block a Qakbot infection. Network devices should also alert administrators when an infected user attempts to connect to a known command-and-control address or domain. For more information, see the article “Qakbot Injects Itself into the Middle of Your Conversations” at SophosLabs.
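The campaign pattern described above (a short "reply" injected into an existing thread, carrying a link to a zip archive) can be turned into a simple mail-triage heuristic. The following is an added example, not code from Sophos or from the Qakbot analysis; the two sample messages, the word-count threshold and the indicator names are constructed for illustration.

```python
import email
import re
from email import policy

# Constructed sample: a terse reply inside an existing thread with a zip download link.
SUSPECT_REPLY = b"""From: alice@example.com
To: bob@example.com
Subject: RE: Q3 invoice
Message-ID: <m2@example.com>
In-Reply-To: <m1@example.com>
References: <m1@example.com>
Content-Type: text/plain

Please see the attached document.
https://files.example.net/docs/report_1337.zip
"""

# Constructed sample: an ordinary reply in the same thread, no archive link, normal length.
LEGIT_REPLY = b"""From: bob@example.com
To: alice@example.com
Subject: RE: Q3 invoice
Message-ID: <m3@example.com>
In-Reply-To: <m2@example.com>
Content-Type: text/plain

Hi Alice, thanks for the update. I reviewed the numbers for Q3 and they look
consistent with what finance sent last week. Let's discuss on Thursday's call.
Regards, Bob
"""

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
ARCHIVE_EXT = (".zip", ".7z", ".rar")
MAX_WORDS = 25  # assumed threshold for a "short sentence" body


def thread_hijack_indicators(raw: bytes) -> list[str]:
    """Return the heuristic indicators matched by one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    hits = []
    if msg["In-Reply-To"] or msg["References"]:
        hits.append("reply-to-existing-thread")
    urls = URL_RE.findall(text)
    prose = URL_RE.sub("", text)  # do not let the link inflate the word count
    if len(prose.split()) <= MAX_WORDS:
        hits.append("short-body")
    if any(u.lower().rstrip(".,)") .endswith(ARCHIVE_EXT) for u in urls):
        hits.append("archive-download-link")
    return hits


def is_suspicious(raw: bytes) -> bool:
    """Flag only when all three indicators coincide; each alone is common in normal mail."""
    return len(thread_hijack_indicators(raw)) == 3
```

Any single indicator (a reply header, a short body, a zip link) is routine on its own, so the check only fires on their combination; tune MAX_WORDS and ARCHIVE_EXT to your own mail flow.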
About Sophos
More than 100 million users in 150 countries trust Sophos. We offer the best protection against complex IT threats and data loss. Our comprehensive security solutions are easy to deploy, use and manage, and offer the lowest total cost of ownership in the industry. Sophos offers award-winning encryption solutions and security solutions for endpoints, networks, mobile devices, email and the web. These are backed by SophosLabs, our worldwide network of in-house analysis centers. Sophos is headquartered in Boston, USA and Oxford, UK.